This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
This replaces the two remaining instances of `esc_url_raw()` with `sanitize_url()` in WordPress core.
Follow-up to [53455], [53933], [54522].
Props rajinsharwar, SergeyBiryukov.
Fixes#59247.
Built from https://develop.svn.wordpress.org/trunk@56494
git-svn-id: http://core.svn.wordpress.org/trunk@56006 1a063a9b-81f0-0310-95a4-ce76da25c4cd
With the introduction of temporary backups of plugins and themes before updating, a new Site Health test was added to verify that plugin and theme temporary backup directories are writable or can be created.
When using a non-direct filesystem, the Site Health test did not include the required credentials, leading to a fatal error as the connection was not initialized properly.
This commit attemps to use the stored credentials if available, and displays a message otherwise.
Includes a similar fix in a function that performs a cleanup of the temporary backup directory.
Follow-up to [55720].
Props utsav72640, rajinsharwar, costdev, mukesh27, peterwilsoncc, audrasjb, SergeyBiryukov.
See #58940.
Built from https://develop.svn.wordpress.org/trunk@56341
git-svn-id: http://core.svn.wordpress.org/trunk@55853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves a WPCS warning:
> A gettext call containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Includes moving `wp-content` out of the translatable string in a similar message in `_wp_delete_all_temp_backups()`.
Follow-up to [55720], [56117].
Props jrf.
See #58831.
Built from https://develop.svn.wordpress.org/trunk@56276
git-svn-id: http://core.svn.wordpress.org/trunk@55788 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to make the update process more reliable and ensures that if a plugin or theme update fails, the previous version can be safely restored.
* When updating a plugin or theme, the old version is moved to a temporary backup directory:
* `wp-content/upgrade-temp-backup/plugins/[plugin-slug]` for plugins
* `wp-content/upgrade-temp-backup/themes/[theme-slug]` for themes.
* If the update fails, then the backup kept in the temporary backup directory is restored to its original location.
* If the update succeeds, the temporary backup is deleted.
To further help troubleshoot plugin and theme updates, two new checks were added to the Site Health screen:
* A check to make sure that the `upgrade-temp-backup` directory is writable.
* A check that there is enough disk space available to safely perform updates.
To avoid confusion: The temporary backup directory will NOT be used to “roll back” a plugin to a previous version after a completed update. This directory will simply contain a transient backup of the previous version of a plugin or theme being updated, and as soon as the update process finishes, the directory will be empty.
Follow-up to [55204], [55220].
Props afragen, costdev, pbiron, azaozz, hellofromTonya, aristath, peterwilsoncc, TJNowell, bronsonquick, Clorith, dd32, poena, TimothyBlynJacobs, audrasjb, mikeschroder, a2hosting, KZeni, galbaras, richards1052, Boniu91, mai21, francina, TobiasBg, desrosj, noisysocks, johnbillion, dlh, chaion07, davidbaumwald, jrf, thisisyeasin, ignatggeorgiev, SergeyBiryukov.
Fixes#51857.
Built from https://develop.svn.wordpress.org/trunk@55720
git-svn-id: http://core.svn.wordpress.org/trunk@55232 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Per [https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/#writing-include-require-statements WordPress PHP coding standards], it is ''strongly recommended'' to use `require[_once]` for unconditional includes. When using `include[_once]`, PHP will throw a warning when the file is not found but will continue execution, which will almost certainly lead to other errors/warnings/notices being thrown if your application depends on the file loaded, potentially leading to security leaks. For that reason, `require[_once]` is generally the better choice as it will throw a `Fatal Error` if the file cannot be found.
Follow-up to [1674], [1812], [1964], [6779], [8540], [10521], [11005], [11911], [16065], [16149], [25421], [25466], [25823], [37714], [42981], [45448], [47198], [54276], [55633].
Props kausaralm, SergeyBiryukov.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55641
git-svn-id: http://core.svn.wordpress.org/trunk@55153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The value comes from `get_available_languages()`, which returns an array of strings.
This affects:
* `plugins_update_check_locales` filter.
* `update_plugins_{$hostname}` filter.
Follow-up to [36630], [46660], [50921], [53933], [54284].
See #55646.
Built from https://develop.svn.wordpress.org/trunk@54287
git-svn-id: http://core.svn.wordpress.org/trunk@53846 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset implements a clearer and more consistent timeout/duration/expiration format. It updates time durations used in various files, as per WordPress coding standards:
- If the value can be represented as an integer (not a fractional) number of minutes (hours, etc.), use the appropriate constant (e.g.: `MINUTE_IN_SECONDS`) multiplied by that number.
- Otherwise, keep the value as is and add a comment with the units for clarity.
Follow-up to [11823], [13177], [21996], [37747], [53714].
Props hztyfoon, audrasjb, arrasel403, krupalpanchal, GaryJ, SergeyBiryukov, peterwilsoncc, rudlinkon, costdev, robinwpdeveloper.
Fixes#56293.
See #55647.
Built from https://develop.svn.wordpress.org/trunk@54113
git-svn-id: http://core.svn.wordpress.org/trunk@53672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows third-party themes to avoid accidentally being overwritten with an update of a theme of a similar name from the WordPress.org Theme Directory.
Additionally, introduce the `update_themes_{$hostname}` filter, which third-party themes can use to offer updates for a given hostname.
If set, the `Update URI` header field should be a URI and have a unique hostname.
Some examples include:
* `https://wordpress.org/themes/example-theme/`
* `https://example.com/my-theme/`
* `my-custom-theme-name`
`Update URI: false` also works, and unless there is code handling the `false` hostname, the theme will never get an update notification.
If the header is present, the WordPress.org API will currently only return updates for the theme if it matches the following format:
* `https://wordpress.org/themes/{$slug}/`
* `w.org/theme/{$slug}`
If the header has any other value, the API will not return a result and will ignore the theme for update purposes.
Follow-up to [50921].
Props dd32, meloniq, costdev, audrasjb, DavidAnderson, markjaquith, DrewAPicture, mweichert, design_dolphin, filosofo, sean212, nhuja, JeroenReumkens, infolu, dingdang, joyously, earnjam, williampatton, grapplerulrich, markparnell, apedog, afragen, miqrogroove, rmccue, crazycoders, jdgrimes, damonganto, joostdevalk, jorbin, georgestephanis, khromov, GeekStreetWP, jb510, Rarst, juliobox, Ipstenu, mikejolley, Otto42, gMagicScott, TJNowell, GaryJ, knutsp, mordauk, nvartolomei, aspexi, chriscct7, benoitchantre, ryno267, lev0, gregorlove, dougwollison, leemon, SergeyBiryukov.
See #14179, #23318, #32101.
Built from https://develop.svn.wordpress.org/trunk@53933
git-svn-id: http://core.svn.wordpress.org/trunk@53492 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add the loaded php extensions as well as whether the server's image libraries support WebP and AVIF image formats to the data payload sent during upgrade checks. Collecting this data with the WordPress.org API will help the project make more data driven decisions about feature support. Note that all data can still be filtered with the `core_version_check_query_args` filter for privacy reasons.
Props dd32, SergeyBiryukov, mikeschroder, pbiron.
Fixes#48116.
Built from https://develop.svn.wordpress.org/trunk@53753
git-svn-id: http://core.svn.wordpress.org/trunk@53312 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
Follow-up to [11383], [13096], [51597], [53452].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes#55852.
Built from https://develop.svn.wordpress.org/trunk@53455
git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`phpversion()` return value and `PHP_VERSION` constant value are identical, but the latter is several times faster because it is a direct constant value lookup compared to a function call.
Props ayeshrajans, jrf, mukesh27, costdev, hellofromTonya, SergeyBiryukov.
Fixes#55680.
Built from https://develop.svn.wordpress.org/trunk@53426
git-svn-id: http://core.svn.wordpress.org/trunk@53015 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Currently in WordPress multisite there is a concept of large networks. The function `wp_is_large_network` is used to determine if a network has a large number of sites or users. If a network is marked as large, then
expensive queries to calculate user counts are not run on page load but deferred to scheduled events. However there are a number of places in a single site installation where this functionality would also be useful, as
expensive calls to count users and roles can make screens in the admin extremely slow.
In this change, the `get_user_count` function and related functionality around it is ported to be available in a single site context. This means that expensive calls to the `count_users` function are replaced with
calls to `get_user_count`. This change also includes a new function called `wp_is_large_user_count` and a filter of the same name, to mark if a site is large.
Props johnbillion, Spacedmonkey, Mista-Flo, lumpysimon, tharsheblows, obenland, miss_jwo, jrchamp, flixos90, macbookandrew, pento, desrosj, johnjamesjacoby, jb510, davidbaumwald, costdev.
Fixes#38741.
Built from https://develop.svn.wordpress.org/trunk@53011
git-svn-id: http://core.svn.wordpress.org/trunk@52600 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Revert the rollback features introduced for theme and plugin upgrades during the WordPress 5.9 cycle. A bug (suspected to be in third party virtualisation software) causes the upgrades to fail consistently on some set ups. The revert is to allow contributors further time to investigate mitigation options.
Reverts [52337], [52289], [52284], [51951], [52192], [51902], [51899], [51898], [51815].
Props pbiron, dlh, peterwilsoncc, galbaras, SergeyBiryukov, afragen, costdev, bronsonquick, aristath, noisysocks, desrosj, TobiasBg, hellofromTonya, francina, Boniu91.
See #54543, #54166, #51857.
Built from https://develop.svn.wordpress.org/trunk@52351
git-svn-id: http://core.svn.wordpress.org/trunk@51943 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Make sure the `wp_delete_temp_updater_backups` event has an action associated with it when it runs.
* Check if the cron event already exists before scheduling it, to avoid scheduling duplicate events.
* Move the code for clearing the `temp-backup` directory to a standalone function.
Follow-up to [51815], [51898], [51899].
Props pbiron, johnbillion.
See #51857.
Built from https://develop.svn.wordpress.org/trunk@52192
git-svn-id: http://core.svn.wordpress.org/trunk@51784 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `get_core_checksums()` and `wp_version_check()` functions call the PHP native `http_build_query()` function, the second parameter of which is the ''optional'' `$numeric_prefix` parameter which expects a non-nullable `string`.
A parameter being optional, however, does not automatically make it nullable.
As of PHP 8.1, passing `null` to a non-nullable PHP native function will generate a deprecation notice.
In this case, this function call yielded a `http_build_query(): Passing null to parameter #2 ($numeric_prefix) of type string is deprecated` notice.
Changing the `null` to an empty string fixes this without a backward compatibility break.
References:
* [https://www.php.net/manual/en/function.http-build-query.php PHP Manual: http_build_query()]
* [https://wiki.php.net/rfc/deprecate_null_to_scalar_internal_arg PHP RFC: Deprecate passing null to non-nullable arguments of internal functions]
Follow-up to [18697], [25540].
Props bjorsch, kraftbj, hellofromTonya, jrf.
See #54229.
Built from https://develop.svn.wordpress.org/trunk@52019
git-svn-id: http://core.svn.wordpress.org/trunk@51611 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows third-party plugins to avoid accidentally being overwritten with an update of a plugin of a similar name from the WordPress.org Plugin Directory.
Additionally, introduce the `update_plugins_{$hostname}` filter, which third-party plugins can use to offer updates for a given hostname.
If set, the `Update URI` header field should be a URI and have a unique hostname.
Some examples include:
* `https://wordpress.org/plugins/example-plugin/`
* `https://example.com/my-plugin/`
* `my-custom-plugin-name`
`Update URI: false` also works, and unless there is code handling the `false` hostname, the plugin will never get an update notification.
If the header is present, the WordPress.org API will currently only return updates for the plugin if it matches the following format:
* `https://wordpress.org/plugins/{$slug}/`
* `w.org/plugin/{$slug}`
If the header has any other value, the API will not return a result and will ignore the plugin for update purposes.
Props dd32, DavidAnderson, meloniq, markjaquith, DrewAPicture, mweichert, design_dolphin, filosofo, sean212, nhuja, JeroenReumkens, infolu, dingdang, joyously, earnjam, williampatton, grapplerulrich, markparnell, apedog, afragen, miqrogroove, rmccue, crazycoders, jdgrimes, damonganto, joostdevalk, jorbin, georgestephanis, khromov, GeekStreetWP, jb510, Rarst, juliobox, Ipstenu, mikejolley, Otto42, gMagicScott, TJNowell, GaryJ, knutsp, mordauk, nvartolomei, aspexi, chriscct7, benoitchantre, ryno267, lev0, gregorlove, dougwollison, SergeyBiryukov.
See #14179, #23318, #32101.
Built from https://develop.svn.wordpress.org/trunk@50921
git-svn-id: http://core.svn.wordpress.org/trunk@50530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `WP_AUTO_UPDATE_CORE` constant now supports `development` and `branch-development` values.
This makes it possible for sites to opt-in to updating to nightly builds without having to install a plugin.
Follow-up to [49245], [49292].
Props xkon, knutsp, afragen, audrasjb, dd32.
Fixes#51978.
Built from https://develop.svn.wordpress.org/trunk@50082
git-svn-id: http://core.svn.wordpress.org/trunk@49782 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `WP_AUTO_UPDATE_CORE` constant now supports `beta` and `rc` values.
This makes it possible for sites to opt-in to updating to RC (or beta) releases without having to install a plugin, or run on a development version.
Props dd32, knutsp.
Fixes#51319.
Built from https://develop.svn.wordpress.org/trunk@49245
git-svn-id: http://core.svn.wordpress.org/trunk@49007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids the performance overhead of the function call every time `dirname( __FILE__ )` was used instead of `__DIR__`.
This commit also includes:
* Removing unnecessary parentheses from `include`/`require` statements. These are language constructs, not function calls.
* Replacing `include` statements for several files with `require_once`, for consistency:
* `wp-admin/admin-header.php`
* `wp-admin/admin-footer.php`
* `wp-includes/version.php`
Props ayeshrajans, desrosj, valentinbora, jrf, joostdevalk, netweb.
Fixes#48082.
Built from https://develop.svn.wordpress.org/trunk@47198
git-svn-id: http://core.svn.wordpress.org/trunk@46998 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.
This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script.
- Auto-fixable coding standards issues will now cause Travis failures.
Fixes#44600.
Built from https://develop.svn.wordpress.org/trunk@43571
git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This code branch is responsible for running all autoupdates, including plugins and themes - which should run regardless of if there's a core autoupdate available.
This revert does not revert the `$timeout` changes, as these should still use cached data if it's available.
Ideally this should be decoupled from the core update check to allow background updates to operate even when the core update check is disabled or running more often than twice daily.
See #43103.
Built from https://develop.svn.wordpress.org/trunk@42653
git-svn-id: http://core.svn.wordpress.org/trunk@42482 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change reduces the number of API calls which WordPress makes to api.wordpress.org during release windows.
Previously the background updates would run upon every core update transient refresh, however now they'll only run if there's an update available.
The change also increases the cache period for plugin & theme checks when running via the cron, from never-cache to 2 hours, which should hopefully reduce the number of needless API calls.
Fixes#43103 for trunk.
Built from https://develop.svn.wordpress.org/trunk@42584
git-svn-id: http://core.svn.wordpress.org/trunk@42413 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Sergey Biryukov
costdev
Dion Hulse
John Blackbourn
audrasjb
Adam Silverstein
spacedmonkey
Peter Wilson
hellofromTonya
whyisjake
desrosj
Gary Pendergast